Skill v1.0.1
ClawScan security
OpenClaw Warden Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:00 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions broadly match its stated purpose (detect and respond to workspace threats), but it performs powerful local modifications (restores, quarantines, rollbacks) and has a few small coherence issues you should review before enabling automated hooks.
- Guidance: This skill appears to do what it says: it scans the workspace and can automatically restore files, rename skill directories to quarantine them, and run git rollbacks. Before installing or enabling automatic hooks, do the following:
  1. Review the full integrity.py script locally to confirm there are no unexpected network calls or hidden behavior (the provided code appears local only).
  2. Ensure you have backups of your workspace (and your git history); 'protect' may restore or roll back files automatically.
  3. Install and verify git is available if you plan to use rollback; the registry entry doesn't list git as a required binary but the feature expects a git repo.
  4. Test the tool in a disposable test workspace to observe how snapshots are stored (it uses .integrity/snapshots) and how quarantine renames skill directories (prefix .quarantined-).
  5. Be cautious about adding the SessionStart hook or heartbeat automation until you trust the baseline/snapshot state; automatic runs can be disruptive.

  If you want minimal risk, run the detection commands manually rather than wiring 'protect' to automatic startup.
- Findings
[ignore-previous-instructions] expected: The SKILL.md and README deliberately enumerate prompt-injection patterns (including 'ignore previous instructions'). The pre-scan detector flagged this string, but its presence is consistent with the skill's purpose of detecting such patterns.
Review Dimensions
- Purpose & Capability (note): The name/description (workspace integrity + automated countermeasures) align with the provided script and commands (baseline, verify, protect, restore, quarantine, rollback). The declared runtime requirement is only python3, which fits the shipped Python script. Minor discrepancy: the SKILL.md and README advertise a 'git rollback' feature but the registry metadata does not declare 'git' as a required binary; the script likely invokes git or expects a git repo, so git should be present but is not listed.
- Instruction Scope (note): SKILL.md explicitly instructs the agent to run local commands that scan the workspace and perform automated countermeasures (restore snapshots, rename skill directories to quarantine, run git rollbacks). These actions are within the declared purpose but are destructive/potentially disruptive if run without review. The SKILL.md also recommends adding an automatic SessionStart hook to run 'protect' at startup; this elevates the chance of automatic file modification. The pre-scan injection pattern ('ignore previous instructions') appears in the doc because the tool enumerates prompt-injection patterns to detect; this is expected for a security scanner.
- Install Mechanism (ok): No install spec: instruction-only + included Python script. Nothing is downloaded or executed from external URLs during installation. This is the lower-risk install model. The script writes snapshots into a .integrity directory within the workspace when baseline is taken (expected behavior).
- Credentials (ok): The skill requests no credentials or environment variables in the registry metadata. It uses OPENCLAW_WORKSPACE (documented) and the current working directory as workspace discovery mechanisms; both are reasonable for its function. No external API keys or unrelated secrets are requested.
- Persistence & Privilege (note): always:false (good). The skill is user-invocable and allows autonomous invocation (default platform behavior). The SKILL.md recommends adding a SessionStart hook to run 'protect' automatically; enabling this gives the skill the ability to autonomously modify workspace files each session (restore, quarantine, rollback). This is coherent with the advertised 'Pro' behavior but is a high-privilege, potentially destructive operational mode that a user should opt into deliberately.
